WSGISocketPrefix /var/run/wsgi
Alias /robots.txt /var/www/html/robots.txt
Alias "/db_dumps/" "/var/www/html/db_dumps/"

WSGIDaemonProcess 127.0.0.1 user=copr-fe group=copr-fe processes=4 threads=5 display-name=other maximum-requests=8000 restart-interval=300 graceful-timeout=20
WSGIDaemonProcess api user=copr-fe group=copr-fe processes=2 threads=15 display-name=api maximum-requests=8000 graceful-timeout=20
WSGIDaemonProcess api-memory-leak user=copr-fe group=copr-fe processes=2 threads=1 display-name=api-memory-leak maximum-requests=10 graceful-timeout=20
WSGIDaemonProcess backend user=copr-fe group=copr-fe processes=2 threads=15 display-name=backend maximum-requests=8000 graceful-timeout=20
WSGIDaemonProcess stats user=copr-fe group=copr-fe processes=2 threads=15 display-name=stats maximum-requests=8000 graceful-timeout=20
WSGIDaemonProcess tmp user=copr-fe group=copr-fe processes=2 threads=15 display-name=tmp maximum-requests=8000 graceful-timeout=20
WSGIDaemonProcess repo user=copr-fe group=copr-fe processes=2 threads=15 display-name=repo maximum-requests=8000 graceful-timeout=20
WSGIDaemonProcess packages user=copr-fe group=copr-fe processes=2 threads=2 maximum-requests=10 display-name=packages request-timeout=60
WSGIDaemonProcess builds   user=copr-fe group=copr-fe processes=4 threads=2 maximum-requests=10 display-name=builds   request-timeout=180 socket-timeout=120
# Separate process group just to easily observe what unnecessary trafic goes to
# non-ssl routes.  We should minimize traffic here.
WSGIDaemonProcess port80 user=copr-fe group=copr-fe processes=1 threads=3 maximum-requests=100 display-name=port80 graceful-timeout=10
# Allow large/long uploads, https://pagure.io/copr/copr/issue/1228
WSGIDaemonProcess upload user=copr-fe group=copr-fe processes=2 threads=10 display-name=upload maximum-requests=100 graceful-timeout=1800

WSGIScriptAlias / /usr/share/copr/coprs_frontend/application
WSGIApplicationGroup %{GLOBAL}

<VirtualHost *:80>
    ServerName {{ copr_frontend_public_hostname }}
    ServerAlias copr-fe{% if devel %}-dev{% endif %}.cloud.fedoraproject.org

    # Keep port 80 open for the .repo and certbot URLs
    <Location />
        WSGIProcessGroup port80
    </Location>

    <Directory /usr/share/copr>
        Require all granted
    </Directory>

    RewriteEngine on

{% if letsencrypt is defined %}
    # For ansible.git roles/copr/certbot role.  Needs to run on port 80.
    RewriteRule ^/\.well-known/(.*) /var/www/html/.well-known/$1 [L]
{% endif %}

    # Redirect everything everything but repo files to https://
    RewriteCond %{HTTPS} !on
    RewriteCond %{REQUEST_URI} !/repo/
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L]
</VirtualHost>

<VirtualHost *:443>
    ServerName {{ copr_frontend_public_hostname }}

    SSLEngine on
    SSLProtocol {{ ssl_protocols }}
    # Use secure TLSv1.1 and TLSv1.2 ciphers
    SSLCipherSuite {{ ssl_ciphers }}
    SSLHonorCipherOrder on
    Header always add Strict-Transport-Security "max-age=31536000; preload"

    SSLCertificateFile      /etc/letsencrypt/live/{{ copr_frontend_public_hostname }}/cert.pem
    SSLCertificateKeyFile   /etc/letsencrypt/live/{{ copr_frontend_public_hostname }}/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/{{ copr_frontend_public_hostname }}/fullchain.pem

    WSGIPassAuthorization On

    # Delegate requests to proper WSGIProcessGroup(s).  First move everything to
    # a generic "basket" process-group by default (127.0.0.1), and process there
    # every request... unless there's other - more location specific - rule.
    # This is order sensitive (the last matching rule wins)!
    WSGIProcessGroup 127.0.0.1
    <LocationMatch "^/api.*">
        WSGIProcessGroup api
    </LocationMatch>
    <LocationMatch "^/api.*upload.*">
        WSGIProcessGroup upload
        LimitRequestBody 10737418240
    </LocationMatch>
    <LocationMatch "^/api_3/package/list.*">
        WSGIProcessGroup api-memory-leak
    </LocationMatch>
    <LocationMatch "^/coprs.*new_build_upload.*">
        WSGIProcessGroup upload
        LimitRequestBody 10737418240
    </LocationMatch>
    <Location /backend>
        WSGIProcessGroup backend
    </Location>
    <Location /stats_rcv>
        WSGIProcessGroup stats
    </Location>
    <Location /tmp>
        WSGIProcessGroup tmp
    </Location>
    <LocationMatch "/repo/">
        WSGIProcessGroup repo
    </LocationMatch>
    <LocationMatch "^/coprs/.*/packages/">
        WSGIProcessGroup packages
        <RequireAll>
            Require all granted
            Require not ip 192.47.255.254
        </RequireAll>
    </LocationMatch>
    <LocationMatch "^/coprs/.*/builds/">
        WSGIProcessGroup builds
    </LocationMatch>

    <Directory /usr/share/copr>
        Require all granted
    </Directory>

{% if copr_kerberos_auth_enabled %}
    <LocationMatch /api_3/gssapi_login/>
        AuthType GSSAPI
        AuthName "Fedoraproject GSSAPI/krb5 Credentials"
        GssapiBasicAuthMech krb5
        GssapiCredStore keytab:/etc/httpd/conf.d/copr-frontend-http-api.keytab
        Require valid-user
    </LocationMatch>
{% endif %}

    RewriteEngine on
    RewriteRule ^/coprs/sgallagh/cockpit-preview/repo/(.*)/.*\.repo$ /coprs/g/cockpit/cockpit-preview/repo/$1/ [R=301]
    RewriteRule ^/coprs/sgallagh/cockpit-preview/(.*)$ /coprs/g/cockpit/cockpit-preview/$1 [R=301]

    # https://bugzilla.redhat.com/show_bug.cgi?id=1582294 - yum copr enable does not work
    RewriteRule ^/coprs/([^/]*)/([^/]*)/repo/epel-(.*)-(.*)/(.*)$ /coprs/$1/$2/repo/epel-$3/$5 [PT]
    RewriteRule ^/coprs/g/([^/]*)/([^/]*)/repo/epel-(.*)-(.*)/(.*)$ /coprs/g/$1/$2/repo/epel-$3/$5 [PT]
</VirtualHost>

<IfModule mod_status.c>
    ExtendedStatus On
    <Location /server-status>
        SetHandler server-status
        Require all denied
        Require host localhost .redhat.com
    </Location>
</IfModule>

<IfModule mpm_prefork_module>
    StartServers          8
    MinSpareServers       8
    MaxSpareServers       20
    MaxClients            50
    MaxRequestsPerChild   10000
</IfModule>

# vim: ft=apache
